diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index 0c577d91d4..ea0b128ef0 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,13 @@
+2011-11-02 Miguel de Dios
+
+ * include/functions.php: added function "check_refererer" for check
+ refererers in some places.
+
+ * extensions/extension_uploader.php, extensions/dbmanager.php,
+ operation/incidents/incident.php, operation/incidents/incident_detail.php,
+ godmode/servers/recon_script.php, godmode/users/configure_user.php,
+ godmode/tag/edit_tag.php: securized this files to XSS and CSRF attacks.
+
 2011-11-03 Juan Manuel Ramon
 
 * include/functions_reporting.php
diff --git a/pandora_console/extensions/dbmanager.php b/pandora_console/extensions/dbmanager.php
index 0040b651d4..4b73800a60 100644
--- a/pandora_console/extensions/dbmanager.php
+++ b/pandora_console/extensions/dbmanager.php
@@ -88,6 +88,12 @@ function dbmgr_extension_main () {
 require ("general/noaccess.php");
 return;
 }
+
+ if (!check_refererer()) {
+ require ("general/noaccess.php");
+
+ return;
+ }
 
 $sql = (string) get_parameter ('sql');
 
diff --git a/pandora_console/extensions/extension_uploader.php b/pandora_console/extensions/extension_uploader.php
index ac07cce366..3978d2e1aa 100644
--- a/pandora_console/extensions/extension_uploader.php
+++ b/pandora_console/extensions/extension_uploader.php
@@ -17,6 +17,14 @@ function extension_uploader_extensions() {
 global $config;
 
+ if (!check_acl($config['id_user'], 0, "PM")) {
+ db_pandora_audit("ACL Violation",
+ "Trying to access Group Management");
+ require ("general/noaccess.php");
+
+ return;
+ }
+
 ui_print_page_header (__("Uploader extension"), "images/extensions.png", false, "", true, "");
 
 $upload = (bool)get_parameter('upload', 0);
diff --git a/pandora_console/godmode/servers/recon_script.php b/pandora_console/godmode/servers/recon_script.php
index 0a362af745..0234ac867c 100644
--- a/pandora_console/godmode/servers/recon_script.php
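Review bot: The new `check_refererer()` guard in dbmgr_extension_main() is a weak CSRF control: the Referer header is optional (browsers, privacy extensions and proxies strip it, and it is empty on an HTTPS-to-HTTP transition), so legitimate administrators will hit `general/noaccess.php` while the check still proves nothing about who initiated the request. Because this extension executes the `$sql` read by `get_parameter ('sql')` two lines below, the request that carries it should require a per-session anti-CSRF token submitted with the form and compared with `hash_equals()`, with the Referer test at most as a secondary heuristic. The identical guard is added in godmode/servers/recon_script.php and godmode/users/configure_user.php and has the same limitation there. dbmgr_extension_main() continues outside the hunk.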
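Review bot: The audit message in the new ACL block, `"Trying to access Group Management"`, is copied from another page; this function is the extension uploader, so every recorded violation will be attributed to the wrong screen in the audit log. Change it to `db_pandora_audit("ACL Violation", "Trying to access Extension uploader");`. Note also that, unlike dbmanager.php in this same commit, the upload handler receives no `check_refererer()` call even though the ChangeLog lists it among the CSRF-hardened files, so whatever protection that function is meant to give is absent here. extension_uploader_extensions() continues outside the hunk.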
+++ b/pandora_console/godmode/servers/recon_script.php
@@ -36,6 +36,12 @@ if (! check_acl ($config['id_user'], 0, "LM")) {
 return;
 }
 
+if (!check_refererer()) {
+ require ("general/noaccess.php");
+
+ return;
+}
+
 $view = get_parameter ("view", "");
 $create = get_parameter ("create", "");
 
diff --git a/pandora_console/godmode/tag/edit_tag.php b/pandora_console/godmode/tag/edit_tag.php
index 94701ec88f..8d463465e9 100644
--- a/pandora_console/godmode/tag/edit_tag.php
+++ b/pandora_console/godmode/tag/edit_tag.php
@@ -21,6 +21,7 @@ require_once ($config['homedir'].'/include/functions_tags.php');
 if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
 db_pandora_audit("ACL Violation", "Trying to access Edit Tag");
 require ("general/noaccess.php");
+ return;
 }
 
 
@@ -31,6 +32,7 @@ $update_tag = (int) get_parameter ("update_tag", 0);
 $create_tag = (int) get_parameter ("create_tag", 0);
 $name_tag = (string) get_parameter ("name_tag", "");
 $description_tag = (string) get_parameter ("description_tag", "");
+$description_tag = io_safe_input(strip_tags(io_safe_output($description_tag)));
 $url_tag = (string) get_parameter ("url_tag", "");
 $tab = (string) get_parameter ("tab", "list");
 
diff --git a/pandora_console/godmode/users/configure_user.php b/pandora_console/godmode/users/configure_user.php
index 914ff241b6..eae4b418d0 100644
--- a/pandora_console/godmode/users/configure_user.php
+++ b/pandora_console/godmode/users/configure_user.php
@@ -41,9 +41,16 @@ if (! check_acl ($config['id_user'], 0, "UM")) {
 db_pandora_audit("ACL Violation", "Trying to access User Management");
 require ("general/noaccess.php");
+ return;
 }
 
+if (!check_refererer()) {
+ require ("general/noaccess.php");
+
+ return;
+}
+
 $tab = get_parameter('tab', 'user');
 
 $buttons = array(
diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 82592d5b17..62aea1437a 100644
--- a/pandora_console/include/functions.php
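Review bot: Only `$description_tag` is passed through `io_safe_input(strip_tags(io_safe_output(...)))`; `$name_tag` on the line above and `$url_tag` on the line below are stored exactly as received, so the hardening is partial. If `$url_tag` is later emitted as a link target (not visible in this hunk), strip_tags gives no protection there at all, because what that sink needs is a scheme check, not tag removal. The more robust approach is to keep the stored value intact and escape each field at output time for its context, e.g. `htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` for HTML; at minimum `$name_tag` should receive the same filtering as `$description_tag`.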
+++ b/pandora_console/include/functions.php
@@ -42,6 +42,28 @@ define("MIN_WIDTH",300);
 define("MIN_HEIGHT",120);
 define("MIN_WIDTH_CAPTION",420);
 
+function check_refererer() {
+ global $config;
+
+ $referer = '';
+ if (isset($_SERVER['HTTP_REFERER'])) {
+ $referer = $_SERVER['HTTP_REFERER'];
+ }
+
+ $url = 'http://';
+ if ($config['https']) {
+ $url = 'https://';
+ }
+ $url .= $_SERVER['SERVER_NAME'] . $config["homeurl"];
+
+ if (strpos($referer, $url) === 0) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
 /**
 * Cleans an object or an array and casts all values as integers
 *
diff --git a/pandora_console/operation/incidents/incident.php b/pandora_console/operation/incidents/incident.php
index 63061af002..2e7e22d14c 100755
--- a/pandora_console/operation/incidents/incident.php
+++ b/pandora_console/operation/incidents/incident.php
@@ -32,7 +32,8 @@ ui_print_page_header (__('Incident management'), "images/book_edit.png", false,
 // Offset adjustment
 if (isset($_GET["offset"])) {
 $offset = get_parameter ("offset");
-} else {
+}
+else {
 $offset = 0;
 }
 
@@ -80,6 +81,7 @@ elseif ($action == "update") {
 }
 
 $titulo = get_parameter ("titulo");
+ $titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
 $descripcion = get_parameter ("descripcion");
 $origen = get_parameter ("origen_form");
 $prioridad = get_parameter ("prioridad_form", 0);
@@ -99,7 +101,8 @@ elseif ($action == "update") {
 __('Successfully updated'),
 __('Could not be updated'));
 
-} elseif ($action == "insert") {
+}
+elseif ($action == "insert") {
 //Create incident
 $grupo = get_parameter ("grupo_form", 1);
 
@@ -110,7 +113,8 @@ elseif ($action == "update") {
 }
 
 // Read input variables
- $titulo = get_parameter ("titulo");
+ $titulo = get_parameter ("titulo");
+ $titulo = io_safe_input(strip_tags(io_safe_output($titulo)));
 $descripcion = get_parameter ("descripcion");
 $origen = get_parameter ("origen_form");
 $prioridad = get_parameter ("prioridad_form");
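Review bot: `check_refererer()` has no docblock although the neighbouring functions in this file carry one; add a short one stating that it returns true only when the request's Referer header begins with this console's own URL (scheme from `$config['https']`, then SERVER_NAME and `$config["homeurl"]`), returns false when no Referer was sent, and is a heuristic rather than a CSRF token. On the body: `$_SERVER['SERVER_NAME']` is derived from the Host header under common web-server settings, so part of the expected prefix can be client-supplied (deployment-dependent, worth confirming), and the prefix test also accepts any path that merely starts with homeurl unless homeurl ends in `/`. `$config['https']` is read without `isset`, which raises a notice when the key is absent. The closing if/else collapses to `return strpos($referer, $url) === 0;`, and the doubled "refererer" in the name is cheapest to fix now, before more callers appear.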
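Review bot: In the update branch `$titulo` is stripped of tags, but `$descripcion`, read on the very next line, is stored unfiltered; the insert branch (@@ -110) has the same asymmetry. If both fields are rendered as HTML later (likely, but outside these hunks), either filter them the same way or, preferably, escape at output time with htmlspecialchars and leave the stored text untouched, since strip_tags at input also alters legitimate data containing `<`. The enclosing elseif branches start and end outside these hunks.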
@@ -170,7 +174,8 @@ $result = db_get_all_rows_sql ($sql);
 if (empty ($result)) {
 $result = array ();
 $count = 0;
-} else {
+}
+else {
 $count = count ($result);
 }
 
diff --git a/pandora_console/operation/incidents/incident_detail.php b/pandora_console/operation/incidents/incident_detail.php
index da5ce81544..fdecfdfe3f 100755
--- a/pandora_console/operation/incidents/incident_detail.php
+++ b/pandora_console/operation/incidents/incident_detail.php
@@ -86,14 +86,20 @@ if (isset ($_GET["id"])) {
 }
 
 // Delete file
- if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR ($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
+ if (((check_acl ($config["id_user"], $id_grupo, "IM")==1) OR
+ ($id_owner == $config["id_user"])) AND isset ($_POST["delete_file"])) {
 $file_id = (int) get_parameter ("delete_file", 0);
 $filename = db_get_value ("filename", "tattachment", "id_attachment", $file_id);
 $sql = sprintf ("DELETE FROM tattachment WHERE id_attachment = %d",$file_id);
 $result = db_process_sql ($sql);
 if (!empty ($result)) {
- unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename));
+ if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.$row["filename"]. ".zip"))
+ unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename). ".zip");
+ else
+ unlink ($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename));
+
+ incidents_process_touch ($id_inc);
 }
 
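Review bot: The new `file_exists(...)` test in the delete-file branch reads `$row["id_attachment"]` and `$row["filename"]`, but `$row` is not defined in this scope — the values in play are `$file_id` and `$filename` from the two lines above — so the condition is always false (with an undefined-variable notice), the `.zip` written by the upload branch is never removed, and deleting an attachment leaves its archive orphaned on disk. The check also looks under `$config['homedir'].'/attachment/'` while the unlink uses `$config["attachment_store"]`; the same two-root pattern is in the listing hunk at @@ -373. Use one root and the local variables: `if (file_exists($config["attachment_store"]."/pand".$file_id."_".io_safe_output($filename).".zip"))`. Both `unlink` results are unchecked, so a failed delete is silent. The enclosing `if (isset ($_GET["id"]))` block continues outside the hunk.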
@@ -123,15 +129,27 @@ if (isset ($_GET["id"])) {
 }
 
 $sql = sprintf ("INSERT INTO tattachment (id_incidencia, id_usuario, filename, description, size)
- VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"],$filename,$description,$filesize);
+ VALUES (%d, '%s', '%s', '%s', %d)", $id_inc, $config["id_user"], $filename, $description, $filesize);
 $id_attachment = db_process_sql ($sql,"insert_id");
 
 // Copy file to directory and change name
 if ($id_attachment !== false) {
- $nombre_archivo = $config["attachment_store"]."/pand".$id_attachment."_".$_FILES['userfile']['name'];
- $result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
- } else {
+ $nombre_archivo = $config["attachment_store"]
+ . "/pand" . $id_attachment . "_" . $_FILES['userfile']['name'];
+
+
+ $zip = new ZipArchive;
+
+ if ($zip->open($nombre_archivo.".zip", ZIPARCHIVE::CREATE) === true) {
+ $zip->addFile($_FILES['userfile']['tmp_name'], io_safe_output($filename));
+ $zip->close();
+ }
+
+
+ //$result = copy ($_FILES['userfile']['tmp_name'], $nombre_archivo);
+ }
+ else {
 echo '

'.__('File could not be saved due to database error').'

';
 $result = false;
 }
@@ -139,7 +157,8 @@ if (isset ($_GET["id"])) {
 if ($result !== false) {
 unlink ($_FILES['userfile']['tmp_name']);
 incidents_process_touch ($id_inc);
-} else {
+}
+else {
 db_process_sql ("DELETE FROM tattachment WHERE id_attachment = ".$id_attachment);
 }
 
@@ -169,7 +188,8 @@ elseif (isset ($_GET["insert_form"])) {
 }
 $prioridad = 0;
 $id_grupo = 0;
-} else {
+}
+else {
 db_pandora_audit("HACK","Trying to get to incident details in an unusual way");
 require ("general/noaccess.php");
 exit;
@@ -373,12 +393,19 @@ if (isset ($id_inc)) {
 $table->align[3] = "center";
 
 foreach ($result as $row) {
- $data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) . '  '.$row["filename"].'';
+ if (file_exists($config['homedir'] . '/attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip"))
+ $url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]). ".zip";
+ else
+ $url = 'attachment/pand'.$row["id_attachment"].'_'.io_safe_output($row["filename"]);
+
+ $data[0] = html_print_image("images/disk.png", true, array("border" => '0', "align" => "top")) .
+ '  '.$row["filename"].'';
 $data[1] = $row["description"];
 $data[2] = format_for_graph ($row["size"])."B";
 if ((check_acl ($config["id_user"], $id_grupo, "IM") == 1) OR ($usuario == $config["id_user"])) {
 $data[3] = html_print_input_image ("delete_file", "images/cross.png", $row["id_attachment"], 'border:0px;" onClick="if (!confirm(\' '.__('Are you sure?').'\')) return false;', true);
-} else {
+}
+else {
 $data[3] = '';
 }
 array_push ($table->data, $data);
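Review bot: With the `copy()` call commented out, `$result` is no longer assigned in the success branch, so the `if ($result !== false)` test in the next hunk (@@ -139) no longer reflects whether the archive was written: when `$zip->open()` fails the tattachment row stays, the temp file is unlinked and nothing is reported — unless `$result` is set earlier in this branch, outside the hunk, which is worth confirming. Assign `$result` from the ZipArchive calls (open, addFile and close all return bool) and delete the dead comment; `ZipArchive::CREATE` is the documented spelling of the constant, and `new ZipArchive()` the usual instantiation form. On the rewritten path line, `$_FILES['userfile']['name']` is still concatenated without `basename()`, so the stored name should be reduced to its base component. The enclosing `if (isset ($_GET["id"]))` block starts and ends outside the hunk.
```php
$nombre_archivo = $config["attachment_store"]
    . "/pand" . $id_attachment . "_" . basename($_FILES['userfile']['name']);

$zip = new ZipArchive();
$result = $zip->open($nombre_archivo . ".zip", ZipArchive::CREATE) === true
    && $zip->addFile($_FILES['userfile']['tmp_name'], io_safe_output($filename))
    && $zip->close();
// … unchanged: else branch reporting the database error …
```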
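Review bot: The `.zip`/plain branch in the attachment listing repeats the path logic of the delete branch (@@ -86) and the upload branch (@@ -123), each with its own root — `$config['homedir'] . '/attachment'` for the existence check here versus `$config["attachment_store"]` where the file is written. If those two settings differ in a deployment (not visible here), `file_exists` never matches and the link falls back to a name that is not on disk. Extract one helper, e.g. `incidents_attachment_path($id_attachment, $filename)`, that returns the stored name under the single configured root, and derive both the link and the existence test from it. The foreach body continues outside the hunk.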